Flows not exported to Security Intelligence and 'get intelligence flows stats' nsxcli command shows 'Service is disabled' after quickly toggling metrics mode on SSP

Article ID: 432561

Products

VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

Disabling and re-enabling metrics data collection mode in the SSP UI within a couple of seconds causes ESX hosts to stop exporting flows to Intelligence.
The nsxcli command 'get intelligence flows stats' reports 'Service is disabled' even though 'get intelligence flows config' shows data collection as enabled. Flows are not visible in Security Explorer in the SSP UI.

Environment

NSX 4.2.1 and later releases, 9.0.x, 9.1
SSP 5.0, 5.1 and 5.1.1

Cause

Disabling metrics mode incorrectly resets the Kafka broker state on the ESX host, destroying active broker and topic handles used for flow export. As a result, flows are no longer exported to Security Intelligence on SSP.
To verify this, issue the following nsxcli commands on an affected ESX host:
- 'nsxcli -c get intelligence flows config': output shows 'Enabled: True'
- 'nsxcli -c get intelligence flows stats': output shows 'Service is disabled'

Resolution

Apply the following workaround:

  1. From the SSP UI, disable "Metrics" data collection and wait for 10 seconds.
  2. From the SSP UI, enable "Metrics" data collection.
  3. Verify that flow export is restored by issuing the following nsxcli commands on any of the affected hosts:
     - 'nsxcli -c get intelligence flows config': output is expected to show 'Enabled: True'
     - 'nsxcli -c get intelligence flows stats': output is expected to show Kafka topic-specific stats instead of 'Service is disabled'
  4. Confirm flows are visible on Security Intelligence.
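
The check from the Cause and Resolution sections can be scripted per host. The following is an added example, not VMware code: it matches only the two strings quoted in this article ('Enabled: True' and 'Service is disabled'), and the function names, state labels and sample values are hypothetical.

```shell
#!/bin/sh
# Added example: classify an ESX host from the output of the two nsxcli
# commands in this article. Nothing about the output layout is assumed
# beyond the two strings the article quotes.

# Constructed sample values (not captured from a real host).
SAMPLE_CFG='Enabled: True'
SAMPLE_STATS='Service is disabled'

# classify_flow_export CONFIG_OUTPUT STATS_OUTPUT
# Prints AFFECTED, NOT_AFFECTED, COLLECTION_DISABLED or UNKNOWN.
classify_flow_export() {
    config_out=$1
    stats_out=$2
    # Empty output: the command failed or nsxcli is not available here.
    if [ -z "$config_out" ] || [ -z "$stats_out" ]; then
        echo UNKNOWN
        return 0
    fi
    if printf '%s\n' "$config_out" | grep -Eq 'Enabled:[[:space:]]*True'; then
        # Config says enabled; the mismatch in this article is stats
        # reporting the service as disabled at the same time.
        if printf '%s\n' "$stats_out" | grep -q 'Service is disabled'; then
            echo AFFECTED
        else
            echo NOT_AFFECTED
        fi
    else
        echo COLLECTION_DISABLED
    fi
}

# Run both commands on the local host and classify the result.
check_host() {
    cfg=$(nsxcli -c get intelligence flows config 2>/dev/null) || cfg=
    stats=$(nsxcli -c get intelligence flows stats 2>/dev/null) || stats=
    classify_flow_export "$cfg" "$stats"
}

# Only touch the host when asked to: sh check_flows.sh --live
if [ "${1:-}" = "--live" ]; then
    state=$(check_host)
    echo "flow export state: $state"
    [ "$state" = AFFECTED ] && exit 2
    exit 0
fi
```

With `--live` the script exits with status 2 when the host shows the mismatch, so it can be run across hosts before and after the workaround; NOT_AFFECTED only means the mismatch is absent, and the final confirmation in Security Intelligence still applies.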